10-04-2024 08:04 PM
Hello Friends,
We have a customer who is not able to connect to GlobalProtect VPN from an iPad device, with the error "could not verify the server certificate of the gateway". I reviewed the configuration, selected the connection method as on-demand in the app settings of the GP Portal, and did a commit. After the commit, we were getting the error "the network connection is unreachable or the portal is unresponsive". Then I again reviewed the configuration on the iPad device and found that the root certificate is not imported on that device. Then we tried to import the certificate on the iPad device, but we were not getting the install option. We tried both formats, PKCS12 and PEM, but no luck, and we were also not getting the option to enable it. I suspect we are encountering this certificate error because the root certificate is not present on the iPad device.
According to the customer, he tried to install the GP app from the Apple App Store, which is officially released by Palo Alto. There is no mention in the guidelines on GP gateways or the App Store about needing to install an additional root certificate on the device. If this is necessary, the option should be integrated into the GP app itself.
We also referred to the document on installing the root certificate on an iPad device, but I could not find the options mentioned in the documentation, as it references iOS 12, while the customer is currently using iOS 16.7, and those options are no longer available.
My concern: do we really need to install an additional root certificate on the iPad device to access internal resources while connecting to GP VPN? If this is necessary, then why are we not able to import and enable the root certificate on the iPad device? If it is necessary to install an additional root certificate on the iPad device, then please suggest how to import and enable the root certificate on the iPad device.
Regards,
Chandrashekhar
10-04-2024 08:44 PM
If you aren't using a publicly trusted certificate then yes, this is expected behavior and you would need the iPad to trust your internal root certificate or the certificate that you generated on the firewall to use with GlobalProtect. You'll want to load the CRT that will present itself in the Settings app as a configuration profile. Once you've installed the profile you'll still need to go under Settings > General > About > Certificate Trust Settings and enable full trust for the desired root certificate that you just imported.
If you are going to have people connecting with personal devices I highly recommend getting an actual publicly trusted certificate for the portal/gateway that they'll be using. The only other option that actually scales is enforcing an MDM on personal devices connecting to GlobalProtect, which would allow you to trust the cert on the device automatically.
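For the configuration-profile route described in this reply, a sketch of wrapping an exported root CA certificate in an unsigned `.mobileconfig` (an added example, not code from this thread or from Palo Alto Networks). The function name, the `com.example.vpn` identifiers and the file name are hypothetical, and the sample certificate bytes are a constructed placeholder to be replaced with the real PEM export of the root CA.

```python
import plistlib
import ssl
import uuid

# Constructed placeholder bytes, NOT a real certificate: substitute the PEM
# export of the internal root CA that signed the portal/gateway certificate.
SAMPLE_DER = b"constructed placeholder, not a real root CA certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def build_root_ca_profile(pem_cert, display_name, org_id):
    """Return an unsigned configuration profile (XML plist bytes) that
    carries one root CA certificate for iOS/iPadOS."""
    # Raises ValueError unless the input is a PEM "CERTIFICATE" block,
    # so a private key or other PEM object is rejected here.
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # root certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id + ".rootca",   # hypothetical identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadCertificateFileName": "root-ca.cer",
        "PayloadContent": der,                     # bytes become <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name + " profile",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    data = build_root_ca_profile(SAMPLE_PEM, "Internal Root CA", "com.example.vpn")
    print(data.decode())
```

A profile installed by hand this way still needs full trust enabled under Settings > General > About > Certificate Trust Settings, as the reply says; delivering it through an MDM is what makes the trust automatic.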
10-07-2024 03:09 AM
Thanks for your response.
10-08-2024 05:56 AM
Try following this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boSUCAY